Vulnerabilities and Predisposing Conditions

A vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited by a threat source.25 Most information system
vulnerabilities can be associated with security controls that either have not been applied
(intentionally or unintentionally) or have been applied but retain some weakness. However, it is
also important to allow for the possibility of emergent vulnerabilities that can arise naturally over
time as organizational missions/business functions evolve, environments of operation change,
new technologies proliferate, and new threats emerge. In the context of such change, existing
security controls may become inadequate and may need to be reassessed for effectiveness. The
tendency for security controls to degrade in effectiveness over time reinforces the
need to maintain risk assessments during the entire system development life cycle and also the
importance of continuous monitoring programs to obtain ongoing situational awareness of the
organizational security posture.